Towards the new ISO 22301 (BS25999) standard on Business Continuity – Scenarios and opportunities

Massimo Cacciotti – Business Services Manager BSI Group Italia

Transcript · 2015-03-07

Agenda

BSI: Introduction

1. Why we need BCM

2. Benefits of BCM

3. International Development of BCM

4. Getting started with BCM

5. Related standards to BCM: ISO/IEC 27000 series

BSI’s Introduction

• Global independent business services organization
• Founded in 1901
• No owners/shareholders… all profit reinvested into business
• >2,500 staff and >50% non-UK
• 53 offices located around the world
• #1 certification body in the UK, USA and Korea
• 70,000 clients in 150 countries
• £235m revenue in 2010
• World’s #1 Standards Body
• Standards, Assessment, testing, certification, training, software

What our customers say about us…

Global Presence – Operations in 147 Countries

Worldwide Offices: London, Singapore, Washington, Beijing, New Delhi, Mexico City, Sao Paulo, Sydney

52 Offices Worldwide

Milano, Padova

Our services

• Assurance Services (Assessment and Certification)
• Training
• Governance, Risk and Compliance
• Testing services
• Healthcare Services
• Advisory Services

BSI Training

• We offer various types of training including:
- Awareness Training
- Implementation Training
- Auditor Training

• Our delivery options:
- Public training courses
- In-house training courses
- e-learning courses

Customer journey: Awareness Training → Implementation Training → Auditor training

AIEA – BSI agreement

BSI Governance, Risk & Compliance (GRC)

Entropy™ Software

• A turn-key solution that provides the management system framework for fully functional, integrated and auditable management systems, including:
- Environmental Management – ISO 14001
- Health & Safety Management – OHSAS 18001
- Quality Management – ISO 9001
- Information Security Management – ISO/IEC 27001
- Supplier Compliance Management (C-TPAT & AEO)
- and other management systems standards

Business Continuity Management (BCM) facts and future trends

1. Why we need BCM

Definition

“Business Continuity Management (BCM) is a framework for identifying potential threats to an organization and building organizational capability to respond to such threats, in order to safeguard the interests of key stakeholders, reputation, brand and value-adding activities” (1)

(1) Joint statement: British Standards Institution, Business Continuity Institute, Cabinet Office, Chartered Management Institute

BCM Risks

• Examples of disruption:
- Natural disasters
- Economic disruption and market turbulence
- Terrorism
- Physical security disruptions
- Infrastructure or IT failures
- Fraud or hacking
- New regulations

• Potential consequences:
- Employee safety jeopardized
- Reduced customer confidence
- Loss in image or brand equity
- Decline in revenues
- Decline in market share

Are you prepared for disaster? CMI/BSI UK survey – March 2011

• 84% of managers realize the benefits of BCM planning
• 58% of managers report that their organization has BCM in place (significant YoY growth in the SMB sector)
• Only 50% of organizations with BCM test their BC plan once a year or more
• 60% of organizations with BCM provide training to relevant staff
• Only 55% of organizations ensure that their supply chains have BCM plans in place

2. BCM: The Benefits & Business Case

• Expedite recovery after disruption
• Understand overall business exposure
• Prepared to respond should the unexpected occur
• Raises awareness in the organization
• Proxy for good overall management
• Demonstrates to customers, partners and other stakeholders that the organization takes a robust approach to risk
• Reassurance that the business can keep going

Charts: Perceived benefits of BCM; Managers’ views on BCM effectiveness

3. International development of BCM

Timeline: PAS (2003) → BS (2006) → ISO (2012)

• Started as a “PAS” (Publicly Available Specification) by BSI (PAS 56)
• Moved to BS 25999 in 2006 & 2007, in two parts, as an “Umbrella Standard”
• Scheduled to move to ISO in 2012 (ISO 22301)

International usage of BS 25999

BSI:
- BSI translations into French, German and Spanish
- BS 25999 sold by BSI in over 100 countries

Other National Standards Bodies:
- Adoption of BS 25999 outside the UK (Brazil, Spain etc.)
- Local translation/distribution (Japan, China, Russia, etc.)

US:
- As part of the ‘PS-Prep program’ the US Department of Homeland Security recommended 3 standards for BCM, including BS 25999.

The new ISO 22301

• The growing success of the BSI-developed BS 25999 has prompted ISO (the International Organization for Standardization) to begin work on publishing an ISO-recognised standard, which is expected to be released in May 2012
• BSI is well placed to assist clients in making a smooth transition to the new ISO standard in 2012 (ISO 22301)

4. Getting Started with BCM

Recommendations

• Senior managers must take ultimate responsibility for the quality and robustness of their organization’s BCM
• Use BCM based on a common framework (such as BS 25999) as part of a wider programme and train employees
• Develop a clearly defined approach for responding to the media; BCM is “multi-functional”, not just IT
• Review which suppliers are critical to your operations and ask whether they have BCM
• Test your BCM through regular exercises

BCM Standards

• Code of Practice – Best practice, not auditable
• Requirements – “Shall” statements, auditable

Management Systems

Common components of management systems:

• Policy

• Planning

• Implementation and operation

• Performance assessment

• Improvement

• Management review

Plan – Do – Check – Act (PDCA) Cycle

Figure: PDCA model of the Business Continuity Management System. Input: interested parties’ business continuity requirements and expectations. Output: managed business continuity for interested parties. Cycle: Plan (Establish) → Do (Implement and operate) → Check (Monitor and review) → Act (Maintain and improve), driving continual improvement of the Business Continuity Management System.

PLAN: Understanding the Organization

• Identify critical activities
• Perform Business Impact Analysis (BIA)
• Evaluate threats to critical activities
• Determine continuity requirements
• Determine choices

Business Continuity Policy

• Requires top management commitment and approval

• Includes objectives of business continuity and scope of business continuity management system

• Must be communicated

• Must be reviewed

• Should be appropriate to the nature, scale, complexity, geography and criticality of business activities

• Should reflect culture, dependencies and operating environment

PLAN: Determine Business Continuity Strategy

• Strategies are arrangements to enable an organization to recover
• Define and document incident response structure
• Determine how to recover each critical activity
• Manage relationships

DO: Developing and Implementing a BCM Response

• Incident response structure and Crisis Management
• Incident management plan
• Business continuity plan

Sequence of Events of an Incident

Within minutes to hours:
• Staff and visitors accounted for
• Casualties dealt with
• Damage containment/limitation
• Damage assessment
• Invocation of BCP

Within minutes to days:
• Contact staff, customers, suppliers, etc.
• Recovery of critical business processes
• Rebuild lost work-in-progress

Within weeks to months:
• Damage repair/replacement
• Relocation to permanent place of work
• Recovery of costs from insurers

Timeline: Incident! → Incident Response → Business continuity → Recovery/resumption – back to normal

Overall recovery objective: back-to-normal as quickly as possible

CHECK: Exercising, Maintaining, and Reviewing BC Arrangements

• Exercise program
• Exercise arrangements
• Maintaining BC arrangements
• Reviewing BC arrangements

ACT: Embedding BCM in Organizational Culture

• Ensure BCM becomes part of the core values and effective management of the organization

• BCM education for all employees

• Evaluate the effectiveness of the BCM awareness delivery

SUMMARY

• Disruptions experienced by 8 out of 10 organizations - a real threat

• 8 out of 10 say benefits & business cases are strong for BCM

• Despite this, many organizations still unprepared for BCM

• BS 25999 is the leading global standard to help implement BCM

• BCM should be reviewed with suppliers

• Media coverage included in BCM strategy (reputational risk)

• Senior managers must take ultimate responsibility for BCM

• Many tools to assist your organisations in BCM

The Early Adopters of BCM

The ICT and Finance sectors are the early adopters of Business Continuity Management Systems.

Chart: BSI 25999 certification clients by sector – ICT; Finance; Professional Services; Manufacture; Public Services; Minerals, Energy, Utilities; Built Environment; Transport; Healthcare; Food; Aero and Defence; Facilities & Retail

What is ISO 22301

Societal Security – Preparedness and Continuity Management System – Requirements

• Very similar to BS 25999-2

What are the key differences:

• Monitoring performance: introduces requirements for BCM/BCMS metrics, e.g. BIA update frequency, number of plans, number of exercises completed, etc.
• Operational Planning and Control: emphasis on operational planning and setting controls for the BCMS

Certified Organisations – Transition

Decided by UKAS at the point of publication

• Certified Organisations have 12 to 18 months to transition, although it could be up to 3 years
• Part of continuous assessment visits
• Additional visit will be necessary:
- differences between ISO 22301 and BS 25999-2
- Organisation size and BCMS scope

ISO/IEC 27000 Series – Published

• ISO/IEC 27000 - Overview and vocabulary (2009)
• ISO/IEC 27001 - Information security management systems - Requirements (2005)
• ISO/IEC 27002 - Code of practice for Information security management (2005)
• ISO/IEC 27003 - ISMS implementation guidance (2010)
• ISO/IEC 27004 - Information security management - Measurement (2009)
• ISO/IEC 27005 - Information security risk management (2011)
• ISO/IEC 27006 - Guidance to Certification Bodies (2007)
• ISO/IEC 27007 - Guidelines for ISMS auditing (2011)
• ISO/IEC 27008 - Guidelines for auditors on information security controls (2011)
• ISO/IEC 27010 - Guidance for inter-sector and inter-organizational communications (2012)
• ISO/IEC 27011 - Guidance to telecommunications (2008)
• ISO/IEC 27031 - Guidelines for ICT readiness for business continuity (2011)
• ISO/IEC 27033-1 - Security Techniques, Network Security (2009)

Other 27000 standards in development

• ISO/IEC 27013 - Guidelines on the integrated implementation of ISO/IEC 27001 & ISO/IEC 20000-1 (2012)
• ISO/IEC 27014 - Governance of information security (2012)
• ISO/IEC 27015 - Information security management guidelines for financial services (2013)
• ISO/IEC 27016 - Information security management – Organizational economics (2014/15)
• ISO/IEC 27017 - Information Security in Cloud Computing (relevant controls in 27001) (2014)
• ISO/IEC 27018 - Information Security in Cloud Computing (relevant controls in 27001 - DP/Privacy) (2014)
• ISO/IEC 27032 - Guidelines for cyber-security (2012)
• ISO/IEC 27034 - Guidelines for application security (6 part standard) (2012…)
• ISO/IEC 27036 - Information security for supplier relationships (4 part standard) (2012/13)
• ISO/IEC 27037 - Guidelines for identification, collection, acquisition and preservation of digital evidence (possibly a 4 part standard) (2013/14)
• ISO/IEC 27038 - Specification for digital redaction (2013)
• ISO/IEC 27039 - Selection, deployment and operations of intrusion detection and prevention systems (2013/14)
• ISO/IEC 27040 - Storage security (2014)

Event 24 May 2012 – first in Italy: ISO 22301 – Business Continuity Conference

When: 24 May 2012, Milano

Where: Camera di Commercio Milano – Via Meravigli 9b – Palazzo TURATI

Time: 9:15 – 17:00

Registration: Viviana Rosa – Marketing & PR Manager

[email protected]